[all-commits] [llvm/llvm-project] 4f2fd3: [InstCombine] Fix miscompile on GEP+load to icmp f...

Hyeongyu Kim via All-commits all-commits at lists.llvm.org
Sun May 30 22:28:21 PDT 2021


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 4f2fd3818b0eb26806f366bc37369349aeedcaf9
      https://github.com/llvm/llvm-project/commit/4f2fd3818b0eb26806f366bc37369349aeedcaf9
  Author: Hyeongyu Kim <gusrb406 at snu.ac.kr>
  Date:   2021-05-31 (Mon, 31 May 2021)

  Changed paths:
    M llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
    M llvm/test/Transforms/InstCombine/load-cmp.ll

  Log Message:
  -----------
  [InstCombine] Fix miscompile on GEP+load to icmp fold (PR45210)

As noted in PR45210: https://bugs.llvm.org/show_bug.cgi?id=45210
...the bug is triggered as Eli say when sext(idx) * ElementSize overflows.

```
   // assume that GV is an array of 4-byte elements
   GEP = gep GV, 0, Idx // this is accessing Idx * 4
   L = load GEP
   ICI = icmp eq L, value
 =>
   ICI = icmp eq Idx, NewIdx
```

The foldCmpLoadFromIndexedGlobal function simplifies GEP+load operation to icmp.
And there is a problem because Idx * ElementSize can overflow.

Let's assume that the wanted value is at offset 0.
Then, there are actually four possible values for Idx to match offset 0: 0x00..00, 0x40..00, 0x80..00, 0xC0..00.
We should return true for all these values, but currently, the new icmp only returns true for 0x00..00.

This problem can be solved by masking off (trailing zeros of ElementSize) bits from Idx.

```
   ...
 =>
   Idx' = and Idx, 0x3F..FF
   ICI = icmp eq Idx', NewIdx
```

Reviewed By: efriedma

Differential Revision: https://reviews.llvm.org/D99481




More information about the All-commits mailing list